EKS Keycloak Deployment: How to Implement

This guide walks through deploying Keycloak on Amazon EKS using a production-ready Terraform EKS cluster. Provision the cluster from the terraform-eks-cluster repo, then run Keycloak in pods with optional RDS and ALB.

Figure: Cloud and identity architecture. Keycloak on EKS: identity layer in front of your apps and APIs.

Prerequisites

  • Terraform >= 1.5.0, < 2.0.0
  • AWS credentials (e.g. AWS_PROFILE or env vars)
  • kubectl and helm (for Keycloak)

Step 1: Provision the EKS cluster

Clone the terraform-eks-cluster repo. The module can create a new VPC or use an existing one; it uses terraform-aws-modules/eks/aws with managed node groups, optional IRSA, KMS encryption, and control-plane logging.

Option A — Create VPC + EKS (default):

git clone https://github.com/timabiok/terraform-eks-cluster.git
cd terraform-eks-cluster
cp terraform.auto.tfvars.example terraform.auto.tfvars
# Edit: cluster_name, region, env, owner (if prod)

Ensure create_vpc = true, then apply:

terraform init
terraform plan
terraform apply

Option B — Use existing VPC:

create_vpc = false
vpc_id     = "vpc-xxxxxxxxxxxxxxxxx"
private_subnet_ids = ["subnet-aaa", "subnet-bbb", "subnet-ccc"]
# optional:
public_subnet_ids  = ["subnet-xxx", "subnet-yyy", "subnet-zzz"]
vpc_cidr_block     = "10.0.0.0/16"

Then run terraform init, plan, apply. Private subnets must have outbound connectivity (e.g. NAT) for nodes.

Configure kubectl:

aws eks update-kubeconfig --region <region> --name <cluster_name>

Figure: EKS and Keycloak architecture. EKS cluster in private subnets; Keycloak pods + RDS and ALB.

Repo inputs and outputs (schema)

Key variables from the repo:

Input               Description
create_vpc          Create VPC (true) or use existing (false)
cluster_name        EKS cluster name (required)
cluster_version     Kubernetes version (e.g. 1.31)
region, env, owner  Region, environment, owner (owner required when env = prod)

Outputs: vpc_id, private_subnet_ids, cluster_name, cluster_endpoint, cluster_oidc_issuer_url, configure_kubectl. Full list in repo README. Architecture schema: docs/ARCHITECTURE.md.

Step 2: Database (RDS or Aurora)

Keycloak supports PostgreSQL, MySQL, and MariaDB. Use RDS or Aurora PostgreSQL in the same VPC as the cluster, with Multi-AZ and automated backups for production. Store the connection string in Secrets Manager or Parameter Store and inject it into the pods as environment variables, or let the pods fetch it themselves through an IRSA role.
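A concrete form of this step, added here as an example and not code from the terraform-eks-cluster repo: Terraform that places a PostgreSQL RDS instance in the cluster's private subnets, generates the database password, and stores the connection settings in Secrets Manager under the KC_DB_* names Keycloak expects. It assumes three inputs fed from the repo's outputs: `var.vpc_id` and `var.private_subnet_ids` (matching the outputs listed above) and `var.node_security_group_id` (an assumption; take the worker-node security group id from the repo's output list), and it needs the `random` provider alongside `aws`.

```hcl
# Added example (not from the terraform-eks-cluster repo).
# Inputs are assumed to come from the repo's outputs (terraform output).
variable "vpc_id"                 { type = string }
variable "private_subnet_ids"     { type = list(string) }
variable "node_security_group_id" { type = string } # worker-node SG (assumed output name)

resource "random_password" "keycloak_db" {
  length  = 32
  special = false # avoids characters that would need escaping in the JDBC URL
}

resource "aws_db_subnet_group" "keycloak" {
  name       = "keycloak-db"
  subnet_ids = var.private_subnet_ids # DB stays off the public subnets
}

# Only the worker nodes (where the Keycloak pods run) may open port 5432.
resource "aws_security_group" "keycloak_db" {
  name   = "keycloak-db"
  vpc_id = var.vpc_id

  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [var.node_security_group_id]
  }
}

resource "aws_db_instance" "keycloak" {
  identifier                = "keycloak"
  engine                    = "postgres"
  engine_version            = "16"
  instance_class            = "db.t4g.medium"
  allocated_storage         = 20
  db_name                   = "keycloak"
  username                  = "keycloak"
  password                  = random_password.keycloak_db.result
  db_subnet_group_name      = aws_db_subnet_group.keycloak.name
  vpc_security_group_ids    = [aws_security_group.keycloak_db.id]
  multi_az                  = true  # production: survive a single-AZ failure
  storage_encrypted         = true
  backup_retention_period   = 7     # automated backups, kept for 7 days
  deletion_protection       = true
  publicly_accessible       = false
  skip_final_snapshot       = false
  final_snapshot_identifier = "keycloak-final"
}

# Connection settings the pods will read; keyed exactly as Keycloak's env vars.
resource "aws_secretsmanager_secret" "keycloak_db" {
  name = "keycloak/db"
}

resource "aws_secretsmanager_secret_version" "keycloak_db" {
  secret_id = aws_secretsmanager_secret.keycloak_db.id
  secret_string = jsonencode({
    KC_DB          = "postgres"
    KC_DB_URL      = "jdbc:postgresql://${aws_db_instance.keycloak.address}:5432/keycloak"
    KC_DB_USERNAME = aws_db_instance.keycloak.username
    KC_DB_PASSWORD = random_password.keycloak_db.result
  })
}
```

The generated password is written into Terraform state, which is one reason the repo's encrypted remote backend matters for production: anyone who can read the state file can read the database credential.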

Step 3: Deploy Keycloak on EKS

Use the official image and set the required env vars (replace placeholders from Secrets Manager or Parameter Store):

KC_DB=postgres
KC_DB_URL=jdbc:postgresql://your-rds-endpoint:5432/keycloak
KC_DB_USERNAME=keycloak
KC_DB_PASSWORD=<from-secrets>
KC_HOSTNAME=auth.yourdomain.com
KC_PROXY=edge
KC_HTTP_ENABLED=true

KC_PROXY=edge is required when TLS is terminated at an ALB. Deploy with a Kubernetes Deployment and Service; expose it via an ALB Ingress handled by the AWS Load Balancer Controller (formerly the ALB Ingress Controller).

Step 4: ALB and TLS

Place an Application Load Balancer in front of Keycloak. Terminate TLS at the ALB with an ACM certificate. Point the target group at the Keycloak Service (port 8080). Restrict Keycloak pods to private subnets and allow only the ALB security group to reach them.
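Steps 3 and 4 as one Terraform file, added here as an example rather than code from the terraform-eks-cluster repo or the Keycloak project: the Deployment with the env vars listed in Step 3, the Service on port 8080, and an Ingress the AWS Load Balancer Controller turns into a TLS-terminating ALB. It assumes a `kubernetes` provider already configured for the cluster, the controller installed, a Secrets Manager secret named `keycloak/db` holding the KC_DB_* values as a JSON object (an assumed name), and two assumed inputs, `var.acm_certificate_arn` and `var.keycloak_hostname`.

```hcl
# Added example (not from the terraform-eks-cluster repo or Keycloak).
# Assumes: a configured "kubernetes" provider, the AWS Load Balancer Controller
# installed, a Secrets Manager secret "keycloak/db" with the KC_DB_* keys as JSON,
# and the two assumed inputs below.
variable "acm_certificate_arn" { type = string }
variable "keycloak_hostname"   { type = string } # e.g. auth.yourdomain.com

data "aws_secretsmanager_secret_version" "keycloak_db" {
  secret_id = "keycloak/db"
}

# Mirror the DB settings into a Kubernetes Secret the pods read as env vars.
resource "kubernetes_secret" "keycloak_db" {
  metadata { name = "keycloak-db" }
  data     = jsondecode(data.aws_secretsmanager_secret_version.keycloak_db.secret_string)
}

resource "kubernetes_deployment" "keycloak" {
  metadata { name = "keycloak" }
  spec {
    replicas = 2
    selector { match_labels = { app = "keycloak" } }
    template {
      metadata { labels = { app = "keycloak" } }
      spec {
        container {
          name  = "keycloak"
          image = "quay.io/keycloak/keycloak:24.0" # pin to the release you have tested
          args  = ["start"]                        # production mode, not start-dev
          env_from {
            secret_ref { name = kubernetes_secret.keycloak_db.metadata[0].name }
          }
          env {
            name  = "KC_HOSTNAME"
            value = var.keycloak_hostname
          }
          env {
            name  = "KC_PROXY"
            value = "edge" # TLS ends at the ALB; releases after 24 replace this with KC_PROXY_HEADERS=xforwarded
          }
          env {
            name  = "KC_HTTP_ENABLED"
            value = "true" # plain HTTP only on the ALB-to-pod hop inside the VPC
          }
          port { container_port = 8080 }
        }
      }
    }
  }
}

resource "kubernetes_service" "keycloak" {
  metadata { name = "keycloak" }
  spec {
    selector = { app = "keycloak" }
    port {
      port        = 8080
      target_port = 8080
    }
  }
}

# The controller builds an internet-facing ALB that terminates TLS with the ACM
# certificate and forwards to the pod IPs in the private subnets.
resource "kubernetes_ingress_v1" "keycloak" {
  metadata {
    name = "keycloak"
    annotations = {
      "alb.ingress.kubernetes.io/scheme"          = "internet-facing"
      "alb.ingress.kubernetes.io/target-type"     = "ip"
      "alb.ingress.kubernetes.io/certificate-arn" = var.acm_certificate_arn
      "alb.ingress.kubernetes.io/listen-ports"    = "[{\"HTTPS\":443}]" # no plaintext listener
      "alb.ingress.kubernetes.io/ssl-policy"      = "ELBSecurityPolicy-TLS13-1-2-2021-06"
    }
  }
  spec {
    ingress_class_name = "alb"
    rule {
      host = var.keycloak_hostname
      http {
        path {
          path      = "/"
          path_type = "Prefix"
          backend {
            service {
              name = kubernetes_service.keycloak.metadata[0].name
              port { number = 8080 }
            }
          }
        }
      }
    }
  }
}
```

With `target-type: ip` the controller registers pod IPs directly and manages the backend security group rule itself, so only the ALB's security group reaches port 8080 on the pods; the listener list contains only 443, so there is no HTTP listener to accept credentials in clear text.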

Takeaways

  • Use terraform-eks-cluster for a production-ready EKS foundation (VPC optional, IRSA, encryption, logging).
  • Run Keycloak in EKS with RDS/Aurora for the DB and ALB for TLS; keep secrets in Secrets Manager or Parameter Store.
  • Use the repo's remote backend (e.g. S3 + DynamoDB) for production state.